
It's not at all clear to me what you're saying here. Are you making a case that the whole report all put together is impactful? Or are you actually trying to argue that self-XSS is a critical security vulnerability?



The former; the author's report (short of seeing what was intentionally left out for proper disclosure reasons) is credible, and Paypal's failure to respond to/remediate the issue is improper.

Getting access in this way to users' financial accounts is absolutely a vulnerability.


They are getting access to the accounts of people who do not have 2FA enabled and whose credentials have been stolen. Every bounty program I've ever paid attention to would close that report. Risk-based anti-ATO systems are heuristic.


> They are getting access to the accounts of people who do not have 2FA enabled and whose credentials have been stolen.

OK, first and foremost, don't you think it's a problem if there are stolen accounts? Wouldn't it make sense to visit the .onion site that the author refers to in the article and lock access to all accounts found there?

> Risk-based anti-ATO systems are heuristic.

This is Paypal practicing DID, which is great. What's not great is that the 2FA defense system could be defeated.

> Every bounty program I've ever paid attention to would close that report.

Getting access to a user's financial account and being able to move their money is something I would take seriously 100/100 times. I hope you're not paying attention to bounty programs in the financial sector.



